Cryptographic method and apparatus for non-linearly merging a data block and a key

ABSTRACT

The method and apparatus are used for cryptographically converting a digital input block into a digital output block. The apparatus 400 comprises first input means 410 for obtaining the digital input block and second input means 440 for obtaining a key K1. Cryptographic processing means 420 of the apparatus 400 convert the digital input block into the digital output block by merging a selected part M1 of the digital input block with the key K1 and producing a data block B1 which non-linearly depends on M1 and K1. The merging is performed in one, sequentially inseparable step. Output means 430 are used to output the digital output block of which a selected part is derived from B1.

[0001] The invention relates to a method for converting a digital input block into a digital output block; said conversion comprising the step of merging a selected part M1 of said digital input block with a first key K1 and producing a data block B1 which non-linearly depends on said selected part M1 and said first key K1, and where a selected part of said digital output block is derived from said data block B1.

[0002] The invention further relates to an apparatus for cryptographically converting a digital input block into a digital output block; said apparatus comprising first input means for obtaining said digital input block; second input means for obtaining a first key K1; cryptographic processing means for converting the digital input block into the digital output block; said conversion comprising merging a selected part M1 of said digital input block with said first key K1 and producing a data block B1 which non-linearly depends on said selected part M1 and said first key K1, and where a selected part of said digital output block is derived from said data block B1; and output means for outputting said digital output block.

[0003] The Data Encryption Standard (DES) of the National Bureau of Standards [FIPS publication 46, Jan. 15, 1977] describes a widely used algorithm for converting a digital input block into a digital output block. Such an algorithm is generally referred to as a block cipher. The DES algorithm is used for encrypting (enciphering) and decrypting (deciphering) binary coded information. Encrypting converts intelligible data, referred to as plaintext, into an unintelligible form, referred to as ciphertext. Decrypting the ciphertext converts the data back to its original form. In the so-called electronic code book mode, DES is used to encrypt blocks of 64 bits of plaintext into corresponding blocks of 64 bits of ciphertext. In this mode, the encryption uses keys which are derived from a 64 bit key, of which 56 bits may be freely selected. FIG. 1 shows the overall structure of DES during encrypting. In the encrypting computation, the input (64 bit plaintext) is first permuted from 64 bits into 64 bits using a fixed permutation IP. The result is split into 32 left bits L₀ and 32 right bits R₀. The right bits are transformed using a cipher function f(R₀,K₁), where K₁ is a sub-key. The result f(R₀,K₁) is added (bit-wise modulo 2) to the left bits, followed by interchanging the two resulting 32 bit blocks L₀⊕f(R₀,K₁) and R₀. This procedure is continued iteratively for a total of 16 rounds. At the end of the last round the inverse permutation of the initial permutation IP is applied.

[0004] In the calculation of f(R_(i),K_(i+1)) the 32 right bits R_(i) are first expanded to 48 bits in the box E, as illustrated in FIG. 2. According to a given table this expansion is performed by taking some input bits twice as an output bit and others only once. Then, the expanded 48 bits are added (bit-wise modulo 2) to the 48 key bits K_(i). The resulting 48 bits are split into 8 groups of 6 bits each. Each of these groups is processed by an S box (S_(i)), which reduces the 6 bits to 4 bits in a non-linear operation. The eight S_(i) boxes are given in the form of a table. The total output is 32 bits, which is permuted in the box P. P is also given in the form of a table.

[0005] FIG. 3 illustrates the key schedule calculation. The key consists of 64 bits, of which only 56 are used in the algorithm. Those 56 bits should be chosen randomly. Eight complementing error detecting bits are used to make the parity of each byte of the key odd. The selection of the 56 bits is performed in box PC1, together with a permutation. The result is split into two 28 bit words C₀ and D₀. To obtain the 48 key bits for each round, first the words C₀ and D₀ are left shifted once or twice. A selection and a permutation PC2 are then applied to the result. The output of PC2 is the 48 bit sub-key K₁ which is used in f(R₀,K₁). The process of shifting, selecting and permutating is repeated to generate a sub-key for each round. A table specifies how many shifts must be performed to obtain the next 48 bits of the sub-key for the following round.

[0006] The same algorithm and key can be used for decrypting a ciphertext. The initial permutation for the decrypting cancels the inverse permutation of the encrypting. Each round consists of a so-called Feistel cipher. It is well-known that for Feistel ciphers the inverse operation consists of using the same rounds as used for encrypting but applying the sub-keys in inverse order. As such, the first decrypting round must be supplied with the same sub-key as used for the sixteenth encrypting round, the second decrypting round must be supplied with the same sub-key as used for the fifteenth encrypting round, etc. It is also well-known how the DES algorithm can be used in other encryption modes, such as the cipher feedback mode. In this mode, the DES algorithm is used to generate a stream of statistically random binary bits, which are combined with the plaintext, using, for instance, an exclusive-or logic operation.

[0007] The DES algorithm, in essence, comprises an initial permutation, followed by sixteen key-dependent computations on part of the data and terminated with an inverse permutation. Each key dependent computation comprises adding (modulo 2) key-dependent bits to the data part, followed by a non-linear operation on sub-blocks of the data part, and terminated by a permutation (linear operation) of the data part.

[0008] In general, DES is considered to be a good encryption/decryption tool. It is, however, an open question whether or not DES has remained secure over the past years, particularly in view of the recent very powerful differential cryptanalytic attacks.

[0009] It is an object of the invention to provide a cryptographic method and apparatus of the kind set forth which is more robust against cryptanalytic attacks.

[0010] To achieve this object, the cryptographic method according to the invention is characterised in that said merging step is performed by executing a non-linear function g for non-linearly merging said selected part M1 and said first key K1 in one, sequentially inseparable step. In the DES system, as shown in FIG. 2, in a first processing step the R data is bit-wise added to the key, followed by a second processing step of non-linearly processing the result (S-boxes). According to the invention, an algorithm is used which non-linearly merges data with a key in one step (i.e. one, sequentially inseparable step). As such, adding the key bits to the data is an integrated part of the non-linear operation, making the system more immune against modern attacks, such as differential cryptanalysis.

[0011] In an embodiment of the method according to the invention as defined in the dependent claim 2, in each round both parts of the digital input block are processed, giving a better encryption result than for conventional Feistel ciphers, such as DES, where during each round only half of the digital input block is being processed. To ensure that the same system can be used for both encryption and decryption, one part of the data is processed using an operation g, whereas the other half is processed using the inverse operation g⁻¹. Using this scheme, decrypting is performed by using the same system but supplying the keys in reverse order to the rounds (during decryption the first non-linear step is supplied with the key which, during encryption, was supplied to the last non-linear step, etc.). Compared to a conventional implementation of a Feistel cipher with twice as many rounds, the system according to the invention is faster.

[0012] The measure as defined in the dependent claim 3, wherein a relatively large data block and key, of for instance 64 bits, are split into smaller sub-blocks and sub-keys, simplifies real-time non-linear processing.

[0013] In an embodiment of the method according to the invention as defined in the dependent claim 5, a constant is used to enhance the quality of the encryption. Advantageously, the constant is predetermined per system, forming, for instance, a customer-specific constant. Alternatively, the constant is generated using a pseudo-random generator.

[0014] The measure defined in dependent claim 6 provides a way for non-linearly merging the data sub-block and the sub-key in one step. Additionally, different inputs all result in different outputs. This increases the immunity of the system against cryptanalytic attacks, compared to DES where the non-linear operation reduces the 6-bit input sub-block to a 4-bit output sub-block, implying that the same output is produced for four different inputs.

[0015] In an embodiment of the method according to the invention as defined in the dependent claim 7 a constant is used to enhance the quality of the encryption. Advantageously, the constant is predetermined per system, forming, for instance, a customer-specific constant. Alternatively, the constant is generated using a pseudo-random generator.

[0016] The measure as defined in the dependent claim 8 increases the quality of the encryption even further.

[0017] In an embodiment of the method according to the invention as defined in the dependent claim 10 individual sub-blocks corresponding to different parts of the digital input block are swapped to improve the quality of the encryption.

[0018] Preferably, the sub-block m_(i) comprises eight data bits. This further improves the quality of the non-linear operation compared to DES, where the non-linear operation converts six to four bits.

[0019] The measure as defined in the dependent claim 11 has the advantage of reducing the multiplication in GF(2⁸) to operations in GF(2⁴), making it possible to achieve a simpler or more cost-effective implementation.

[0020] The measure defined in the dependent claim 12 gives an effective way of reducing the multiplication in GF(2⁸) to operations in GF(2⁴).

[0021] An embodiment of the method according to the invention is characterised in that β is a root of an irreducible polynomial h(x)=x⁴+x³+x²+x+1 over GF(2). This is a preferred choice for β, allowing the use of the so-called shifted polynomial base.

[0022] An embodiment of the method according to the invention is characterised in that calculating the inverse of an element of GF(2⁸) comprises performing a series of calculations in GF(2⁴). By reducing the inverse operation in GF(2⁸) to operations in GF(2⁴) a simpler or more cost-effective implementation can be achieved.

[0023] An embodiment of the method according to the invention is characterised in that calculating the inverse of said element b comprises calculating (a₀²+a₀a₁+a₁²β)⁻¹((a₀+a₁)+a₁D). This is an effective way of reducing the inverse operation in GF(2⁸) to operations in GF(2⁴).

[0024] An embodiment of the method according to the invention is characterised in that said first key K1 comprises 64 data bits and wherein each of said sub-keys k_(i) comprises eight data bits. By using a large key the quality of the encryption is increased.

[0025] To achieve the object of the invention, the apparatus according to the invention is characterised in that said cryptographic processing means is arranged to perform said merging by executing a non-linear function g for non-linearly merging said selected part M1 and said first key K1 in one, sequentially inseparable step.

[0026] These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments shown in the drawings.

[0027] FIG. 1 shows the processing steps for the DES system,

[0028] FIG. 2 illustrates details of merging the data with the key and the non-linear operation in DES,

[0029] FIG. 3 illustrates details of the key calculation in DES,

[0030] FIG. 4 shows a block diagram of the cryptographic apparatus,

[0031] FIG. 5 illustrates separate processing of two parts of the digital input block,

[0032] FIG. 6 illustrates processing of a part of the digital input block in the form of sub-blocks,

[0033] FIG. 7 illustrates processing of two parts in the form of sub-blocks, and

[0034] FIG. 8 shows an overall encryption system.

[0035] FIG. 4 shows a block diagram of the cryptographic apparatus 400 according to the invention. For the purpose of explaining the invention, the system is described in the electronic code book mode. Persons skilled in the art will be able to use the system in other modes as well. The apparatus 400 comprises first input means 410 for obtaining a digital input block M. The digital input block M may be any suitable size. Preferably, M is sufficiently large, for instance 128 bits, to obtain a reasonably secure encryption result. The apparatus 400 further comprises cryptographic processing means 420 for converting the digital input block into a digital output block. Advantageously, the digital output block has substantially equal length as the digital input block. The apparatus 400 comprises output means 430 for outputting the digital output block. Basically, the cryptographic processing means 420 converts the digital input block M into the digital output block by merging a selected part M1 of the digital input block M with a first key K1, producing a data block B1 which non-linearly depends on M1 and K1. The merging is performed in one, sequentially inseparable step. The digital output block is derived from B1 and the remaining part of M, which is not part of M1. To obtain the first key K1, the cryptographic apparatus 400 comprises second input means 440. As will be described in more detail below, a second part M2 of the digital input block may be non-linearly merged with a second key K2, preferably using an operation inverse to the operation for merging M1 and K1, producing a data block B2. In this case, the digital output block also depends on B2. To obtain the second key K2, the cryptographic apparatus 400 comprises third input means 450.

[0036] It will be appreciated that the cryptographic apparatus 400 may be implemented using a conventional computer, such as a PC, or using a dedicated encryption/decryption device. The digital input block may be obtained in various ways, such as via a communication network, from a data storage medium, such as a harddisk or floppy disk, or directly being entered by a user. Similarly, the digital output block may be output in various ways, such as via a communication network, stored on a data storage medium, or displayed to a user. Preferably, secure means are used to this end. The cryptographic processing means 420 may be a conventional processor, such as for instance used in personal computers, but may also be a dedicated cryptographic processor. The cryptographic apparatus 400 may, in part or in whole, be implemented on a smart-card.

[0037] In the remainder of the document details of the cryptographic conversion are given for encrypting blocks of 128 bits of plaintext into corresponding blocks of 128 bits of ciphertext. Persons skilled in the art will be able to use the system for other block sizes as well. Data sizes shown in the Figures are given for reasons of clarity and should be treated as examples only. The description focuses on the non-linear processing of the data and the merging of the key with the data as performed in one round. As such the invention can be applied in a system as shown in FIG. 1, comprising multiple rounds and also including a linear operation on the data block in each round.

[0038] As shown in FIG. 5, the message block M of 128 bits is divided into a first part M1 and a second part M2 (a left and a right block). Preferably, both parts are of equal size, 64 bits. It will be appreciated that M1 and M2 may also be derived from M using a more complicated selection process. M1 is processed using a non-linear function g. In principle, it is not required to process M2 during the same round. Advantageously, M2 is processed in the same round using the inverse function g⁻¹. Each of the functions g and g⁻¹ non-linearly merges M1 or, respectively, M2 with a key K1 or, respectively, K2. Preferably, the data parts and the keys have the same size. Since it is difficult to implement a good non-linear operation on a large data block and non-linearly processing a large data block is time consuming, the data parts M1 and M2 are split into sub-blocks. FIG. 6 illustrates this for M1. FIG. 7 illustrates the splitting of M1 and M2. Using 64-bit data parts M1 and M2, advantageously, the parts are each split into eight 8-bit elements, where M1=(m₀, m₁, . . . , m₇) and M2=(m₈, m₉, . . . , m₁₅). The two keys K1 and K2 may be derived from a larger key, for instance, by splitting a 128 bit key into two 64-bit keys K1 and K2. The two keys K1 and K2 may be split further. Using 64-bit keys, advantageously, each key is split into 8-bit sub-keys, giving a total of sixteen 8-bit sub-keys k_(j), j=0 . . 15. Each of the sub-keys k_(j) is associated with the corresponding sub-block m_(j). Each sub-block is processed separately. Preferably, the sub-blocks are processed in parallel. If preferred, the sub-blocks relating to one round may also be serially processed. The first group of sub-blocks, forming M1, are each processed by a cipher function f. The second group of sub-blocks are each processed by the inverse function f⁻¹.

[0039] For the cryptographic operations, an n-bit sub-block or sub-key is considered to represent an element of GF(2^(n)) (Galois Field). All operations are, therefore, in GF(2^(n)).

[0040] In its basic form, the cipher function f has two inputs m_(j) and k_(j) and one output t_(j) as also illustrated in FIGS. 6 and 7, where t_(j)=f(m_(j), k_(j)), for j=0 to 7. In the basic form, the cipher function f involves one operation h(b_(j), k_(j)) with an output of substantially equal size as b_(j). The function h has a data sub-block b_(j) and a sub-key k_(j) as input, where b_(j)=m_(j) for the basic form of the cipher function f. The function f (in this embodiment the same as the function h) is defined as follows for j=0 . . 7:

$$h(b_j, k_j) = \begin{cases} (b_j \cdot k_j)^{-1}, & \text{if } b_j \neq 0,\ k_j \neq 0 \text{ and } b_j \neq k_j \\ (k_j)^{-2}, & \text{if } b_j = 0 \\ (b_j)^{-2}, & \text{if } k_j = 0 \\ 0, & \text{if } b_j = k_j \end{cases}$$

[0041] Similarly, in its basic form the inverse cipher function f⁻¹ has two inputs m_(j) and k_(j) and one output t_(j) as also illustrated in FIGS. 6 and 7, where t_(j)=f⁻¹(m_(j), k_(j)), for j=8 to 15. The inverse cipher function f⁻¹ also involves one operation, h⁻¹(b_(j), k_(j)), with an output of substantially equal size as b_(j). The function h⁻¹ is the inverse of h. As before, b_(j)=m_(j) in the basic form of the cipher function f⁻¹. The function f⁻¹ (in this embodiment the same as the function h⁻¹) is defined as follows for j=8 . . 15:

$$h^{-1}(b_j, k_j) = \begin{cases} (b_j \cdot k_j)^{-1}, & \text{if } b_j \neq 0,\ k_j \neq 0 \text{ and } b_j \cdot k_j^2 \neq 1 \\ k_j, & \text{if } b_j = 0 \\ (b_j)^{-1/2}, & \text{if } k_j = 0 \\ 0, & \text{if } b_j \cdot k_j^2 = 1 \end{cases}$$

[0042] In a further embodiment, the outputs t_(j) of the cipher function f (t_(j)=f(m_(j), k_(j)), for j=0 to 7) and the outputs of the inverse cipher function f⁻¹ (t_(j)=f⁻¹(m_(j), k_(j)), for j=8 to 15) are swapped in the following manner: t_(j) ↔ t_(15−j) for j=0 to 7. This is illustrated in FIG. 7.

[0043] In a further embodiment, a constant is added (bit-wise modulo 2) to each data sub-block m_(j) before executing the function h. Preferably, eight independent constants p_(j) (j=0 . . 7) are used, each being added to the corresponding data sub-block m_(j). The same function h is used as before, now operating on b_(j)=m_(j)⊕p_(j). The cipher function f is now defined as follows:

b_(j)=m_(j)⊕p_(j)

$$h(b_j, k_j) = \begin{cases} (b_j \cdot k_j)^{-1}, & \text{if } b_j \neq 0,\ k_j \neq 0 \text{ and } b_j \neq k_j \\ (k_j)^{-2}, & \text{if } b_j = 0 \\ (b_j)^{-2}, & \text{if } k_j = 0 \\ 0, & \text{if } b_j = k_j \end{cases}$$

[0044] Similarly, for the inverse cipher function f⁻¹ also a constant is added (bit-wise modulo 2) to each data sub-block m_(j). To allow the inverse function f⁻¹ to be used to decrypt text encrypted using the cipher function f, the constant is added after the function h. Preferably, the same eight independent constants p_(j) (j=0 . . 7) are used as used for the cipher function f. Now, the constants p_(j) are being added to the (15−j)-th stream (j=0 . . 7). As a consequence, the inverse cipher function f⁻¹ involves the following two operations (j=8 . . 15):

$$h^{-1}(b_j, k_j) = \begin{cases} (b_j \cdot k_j)^{-1}, & \text{if } b_j \neq 0,\ k_j \neq 0 \text{ and } b_j \cdot k_j^2 \neq 1 \\ k_j, & \text{if } b_j = 0 \\ (b_j)^{-1/2}, & \text{if } k_j = 0 \\ 0, & \text{if } b_j \cdot k_j^2 = 1 \end{cases}$$

t_(j)=h⁻¹(b_(j), k_(j))⊕p_(15−j)

[0045] Finally, t_(j) and t_(15−j) are swapped (j=0 . . 7).

[0046] In a further embodiment, a further constant is added (bit-wise modulo 2) to each data sub-block m_(j) after executing the function h. Preferably, eight independent constants d_(j) (j=0 . . 7) are used, each being added to the corresponding data sub-block m_(j). The same function h is used as before. The cipher function f is now defined as follows:

b_(j)=m_(j)⊕p_(j)

$$h(b_j, k_j) = \begin{cases} (b_j \cdot k_j)^{-1}, & \text{if } b_j \neq 0,\ k_j \neq 0 \text{ and } b_j \neq k_j \\ (k_j)^{-2}, & \text{if } b_j = 0 \\ (b_j)^{-2}, & \text{if } k_j = 0 \\ 0, & \text{if } b_j = k_j \end{cases}$$

t_(j)=h(b_(j), k_(j))⊕d_(j)

[0047] Similarly, for the inverse cipher function f⁻¹ also a constant is added (bit-wise modulo 2) to each data sub-block m_(j). To allow the inverse function f⁻¹ to be used to decrypt text encrypted using the cipher function f, the constant is added before executing the function h. Preferably, the same eight independent constants d_(j) (j=0 . . 7) are used as used for the cipher function f. Now, the constants d_(j) are being added to the (15−j)-th stream (j=0 . . 7). The same function h⁻¹ is used as before, now operating on b_(j)=m_(j)⊕d_(15−j). As a consequence, the inverse cipher function f⁻¹ involves the following three operations (j=8 . . 15):

b_(j)=m_(j)⊕d_(15−j)

$$h^{-1}(b_j, k_j) = \begin{cases} (b_j \cdot k_j)^{-1}, & \text{if } b_j \neq 0,\ k_j \neq 0 \text{ and } b_j \cdot k_j^2 \neq 1 \\ k_j, & \text{if } b_j = 0 \\ (b_j)^{-1/2}, & \text{if } k_j = 0 \\ 0, & \text{if } b_j \cdot k_j^2 = 1 \end{cases}$$

t_(j)=h⁻¹(b_(j), k_(j))⊕p_(15−j)

[0048] Finally, t_(j) and t_(15−j) are swapped (j=0 . . 7).

[0049] It will be appreciated that it is also possible to use the constants d_(j) without using constants p_(j).

[0050] In a further embodiment, the cipher function f raises the outcome of the function h to a power of two. The same function h is used as before. The cipher function f is now defined as follows:

b_(j)=m_(j)⊕p_(j)

$$h(b_j, k_j) = \begin{cases} (b_j \cdot k_j)^{-1}, & \text{if } b_j \neq 0,\ k_j \neq 0 \text{ and } b_j \neq k_j \\ (k_j)^{-2}, & \text{if } b_j = 0 \\ (b_j)^{-2}, & \text{if } k_j = 0 \\ 0, & \text{if } b_j = k_j \end{cases}$$

s_(j)=h(b_(j), k_(j))^(2^j)

t_(j)=s_(j)⊕d_(j)

[0051] Similarly, the inverse cipher function f⁻¹ also raises a data sub-block to a power of 2. To allow the inverse function f⁻¹ to be used to decrypt text encrypted using the cipher function f, the additional operation is performed before executing the function h. The same function h⁻¹ is used as before, now operating on b_(j)=m_(j)⊕d_(15−j). As a consequence, the inverse cipher function f⁻¹ involves the following four operations (j=8 . . 15):

q_(j)=m_(j)⊕d_(15−j)

b_(j)=q_(j)^(2^(j−7))

$$h^{-1}(b_j, k_j) = \begin{cases} (b_j \cdot k_j)^{-1}, & \text{if } b_j \neq 0,\ k_j \neq 0 \text{ and } b_j \cdot k_j^2 \neq 1 \\ k_j, & \text{if } b_j = 0 \\ (b_j)^{-1/2}, & \text{if } k_j = 0 \\ 0, & \text{if } b_j \cdot k_j^2 = 1 \end{cases}$$

t_(j)=h⁻¹(b_(j), k_(j))⊕p_(15−j)

[0052] Finally, t_(j) and t_(15−j) are swapped (j=0 . . 7).

[0053] It will be appreciated that it is also possible to use the operation of raising to a power of 2 without using one or both of the constants d_(j) and p_(j).

[0054] For decrypting the same algorithm is used as for encrypting, but the sub-keys are swapped: instead of k_(j), k_(15−j) is used, j=0 . . 15.
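As an added example (not code from the patent), the following Python models one non-linear operation of [0038]-[0054] on sixteen 8-bit sub-blocks and checks that the same operation with the sub-keys reversed recovers the plaintext. It assumes the AES polynomial x⁸+x⁴+x³+x+1 for GF(2⁸), which the text permits (any multiplication in GF(2⁸) may be used); the data bytes, sub-keys and constants p_(j), d_(j) are constructed sample values.

```python
# Added example, not the patent's own code: one non-linear operation NL of
# [0040]-[0054] on sixteen 8-bit sub-blocks m_0..m_15 with sixteen 8-bit
# sub-keys k_0..k_15. Streams 0..7 use the cipher function f, streams 8..15
# the inverse cipher function f^-1, then t_j and t_(15-j) are swapped.
# ASSUMPTION: GF(2^8) is realised with the polynomial x^8+x^4+x^3+x+1 (the
# patent allows any GF(2^8) multiplication); the tower construction of
# [0055]-[0063] gives an isomorphic field with a different bit encoding.
POLY = 0x11B


def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= POLY
    return r


def gf_pow(a, e):
    """Raise a GF(2^8) element to the power e by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


# Tables: inverse a^254 (0 -> 0) and square root a^128 (squaring is a bijection).
INV = [gf_pow(a, 254) if a else 0 for a in range(256)]
SQRT = [gf_pow(a, 128) for a in range(256)]


def h(b, k):
    """Non-linear merge of data sub-block b and sub-key k in one step [0040]."""
    if b == k:                          # also covers b = k = 0
        return 0
    if b == 0:
        return INV[gf_mul(k, k)]        # k^-2
    if k == 0:
        return INV[gf_mul(b, b)]        # b^-2
    return INV[gf_mul(b, k)]            # (b.k)^-1


def h_inv(t, k):
    """Inverse of h for fixed k [0041]: h_inv(h(b, k), k) == b."""
    if gf_mul(t, gf_mul(k, k)) == 1:    # t.k^2 = 1, i.e. t = k^-2
        return 0
    if t == 0:
        return k
    if k == 0:
        return SQRT[INV[t]]             # t^(-1/2)
    return INV[gf_mul(t, k)]            # (t.k)^-1


def f(j, m, k, p, d):
    """Cipher function of stream j (0..7) per [0050]: p_j before h, raise the
    result to the power 2^j, d_j after."""
    s = gf_pow(h(m ^ p[j], k), 1 << j)
    return s ^ d[j]


def f_inv(j, m, k, p, d):
    """Inverse cipher function of stream j (8..15) per [0051]; it undoes f of
    stream 15-j, hence d_(15-j), the exponent 2^(j-7) and p_(15-j)."""
    q = m ^ d[15 - j]
    b = gf_pow(q, 1 << (j - 7))         # (x^(2^(15-j)))^(2^(j-7)) = x^256 = x
    return h_inv(b, k) ^ p[15 - j]


def nl_operation(blocks, keys, p, d):
    """One non-linear operation on 16 sub-blocks, including the final swap."""
    t = [f(j, blocks[j], keys[j], p, d) if j < 8
         else f_inv(j, blocks[j], keys[j], p, d) for j in range(16)]
    return t[::-1]                      # t_j <-> t_(15-j) for j = 0..7 [0052]


def nl_decrypt(blocks, keys, p, d):
    """Decryption per [0054]: same algorithm, k_(15-j) used instead of k_j."""
    return nl_operation(blocks, keys[::-1], p, d)


def h_round_trip_ok():
    """Check that h_inv undoes h for every (b, k) pair in GF(2^8)."""
    return all(h_inv(h(b, k), k) == b for b in range(256) for k in range(256))


# Constructed sample values (not from the patent): 16 data bytes, 16 sub-key
# bytes and the constants p_j, d_j (j = 0..7) that [0080] takes from a
# 128-bit constant C.
SAMPLE_M = list(b"non-linear merge")
SAMPLE_K = [(37 * j + 11) & 0xFF for j in range(16)]
SAMPLE_P = [0x1F, 0x00, 0xA5, 0x3C, 0xFF, 0x80, 0x07, 0xC3]
SAMPLE_D = [0x55, 0xAA, 0x00, 0x01, 0x9E, 0x42, 0xFF, 0x6D]


def demo():
    """Encrypt the sample block and decrypt it again: returns (cipher, recovered)."""
    c = nl_operation(SAMPLE_M, SAMPLE_K, SAMPLE_P, SAMPLE_D)
    return c, nl_decrypt(c, SAMPLE_K, SAMPLE_P, SAMPLE_D)


if __name__ == "__main__":
    c, back = demo()
    print(h_round_trip_ok(), bytes(c).hex(), bytes(back))
```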

The Multiplication in GF(2⁸)

[0055] In principle, for the invention any multiplication in GF(2⁸) may be used. An example of a VLSI implementation of multiplications in GF(2^(m)) is given in [P. A. Scott, “A fast VLSI multiplier for GF(2^(m))”, IEEE Journal on Selected Areas in Communications, Vol. SAC-4, No. 1, January 1986, pages 62-66]. Advantageously, the following mechanism is used to reduce the multiplication in GF(2⁸) to a series of multiplications and additions in GF(2⁴).

[0056] Let β in GF(2⁴) be a non-trivial root of β⁵=1 (non-trivial means β≠1 or, equally, β is a root of the irreducible polynomial h(x)=x⁴+x³+x²+x+1 over GF(2), since x⁵+1=(x+1)(x⁴+x³+x²+x+1)). The normal base β, β², β⁴, β⁸ is taken as the base in GF(2⁴). Since according to the polynomial β⁸=β³, this is the same as the so-called shifted polynomial base: β, β², β³, β⁴.

[0057] Let D be an element of GF(2⁸), defined as a root of the irreducible polynomial k(x)=x²+x+β over GF(2⁴). Every element of GF(2⁸) can be represented as a₀+a₁·D, with a₀ and a₁ being elements of GF(2⁴). In binary terminology, the number b of GF(2⁸) can be represented using eight bits, arranged as a vector (a₀, a₁), with a₀, a₁ having four bits, representing numbers of GF(2⁴). As such, the base in GF(2⁸) is: β, β², β³, β⁴, Dβ, Dβ², Dβ³, Dβ⁴. Two elements b and c of GF(2⁸), represented as b=a₀+a₁·D and c=a₂+a₃·D, with a_(i) ∈ GF(2⁴), can be multiplied as follows:

b·c=(a₀+a₁·D)·(a₂+a₃·D)=a₀a₂+(a₁a₂+a₀a₃)·D+a₁a₃·D².

[0058] Using the fact that D is a root of k(x), which implies that D²=D+β, this gives the multiplication result:

b·c=(a₀a₂+a₁a₃β)+(a₁a₂+a₀a₃+a₁a₃)·D.

[0059] This has reduced the multiplication of two elements of GF(2⁸) to a series of multiplications and additions in GF(2⁴).

The Inverse in GF(2⁸)

[0060] In principle any known method may be used to calculate the inverse of an element in GF(2⁸). Advantageously, if the previous method has been used to reduce the multiplication in GF(2⁸) to a multiplication in GF(2⁴), then the following method is used to reduce the inverse operation in GF(2⁸) to an inverse operation in GF(2⁴).

[0061] The inverse b⁻¹ of an element b in GF(2⁸), where b is represented as b=a₀+a₁·D, with a₀, a₁ ∈ GF(2⁴), is given by:

b⁻¹=(a₀²+a₀a₁+a₁²β)⁻¹·(a₀+a₁+a₁D), since:

$$b^{-1} \cdot b = (a_0^2 + a_0 a_1 + a_1^2 \beta)^{-1} \cdot (a_0 + a_1 + a_1 D) \cdot (a_0 + a_1 D) = (a_0^2 + a_0 a_1 + a_1^2 \beta)^{-1} \cdot (a_0^2 + a_0 a_1 + a_1^2 D + a_1^2 D^2),$$

[0062] and since D²+D=β, this gives: b⁻¹·b=1.

[0063] In this way the inverse operation in GF(2⁸) is reduced to an inverse operation in GF(2⁴) and a series of multiplications and additions in GF(2⁴).

Multiplication in GF(2⁴)

[0064] In principle, any multiplication in GF(2⁴) may be used. Advantageously, as described before, the shifted polynomial base β, β², β³, β⁴ is taken as the base in GF(2⁴), where β is the root of the irreducible polynomial h(x)=x⁴+x³+x²+x+1 over GF(2), and β⁵=1 in GF(2⁴). Since β is a root of h, this implies:

β⁴+β³+β²+β=1.

[0065] Assuming that the base elements are named e₁, e₂, e₃ and e₄, with e_(i)=β^(i), the base elements are multiplied in the following way, using the definition of β:

e₁·e₁=β·β=β²=e₂

e₁·e₂=β·β²=β³=e₃

e₁·e₃=β·β³=β⁴=e₄

e₁·e₄=β·β⁴=β⁵=1=e₁+e₂+e₃+e₄

e₂·e₂=β²·β²=β⁴=e₄

e₂·e₃=β²·β³=β⁵=1=e₁+e₂+e₃+e₄

e₂·e₄=β²·β⁴=β⁶=β=e₁

e₃·e₃=β³·β³=β⁶=β=e₁

e₃·e₄=β³·β⁴=β⁷=β²=e₂

e₄·e₄=β⁴·β⁴=β⁸=β³=e₃

[0066] This in principle defines the multiplication in GF(2⁴). In binary terms the multiplication can be seen as follows. With respect to the base, each element b in GF(2⁴) can be represented as b=b₀e₁+b₁e₂+b₂e₃+b₃e₄, with b_(i) ∈ GF(2). As such, the element b can be represented by a 4-dimensional vector with binary components (b₀, b₁, b₂, b₃). On a micro-processor this can be represented using a nibble. In binary terms, the multiplication of two elements b and c in GF(2⁴) can be seen as follows, assuming the two elements are represented by b=(b₀, b₁, b₂, b₃) and c=(c₀, c₁, c₂, c₃). Multiplying the two elements in the normal way gives:

$$b \cdot c = (b_0 c_0)\beta^2 + (b_0 c_1 + b_1 c_0)\beta^3 + (b_0 c_2 + b_1 c_1 + b_2 c_0)\beta^4 + (b_0 c_3 + b_1 c_2 + b_2 c_1 + b_3 c_0)\beta^5 + (b_1 c_3 + b_2 c_2 + b_3 c_1)\beta^6 + (b_2 c_3 + b_3 c_2)\beta^7 + (b_3 c_3)\beta^8$$

[0067] Using the definition of β to replace β⁵ by β⁴+β³+β²+β, β⁶ by β, β⁷ by β², and β⁸ by β³, gives the following four components:

b·c=(b₁c₃+b₂c₂+b₃c₁+b₀c₃+b₁c₂+b₂c₁+b₃c₀)β+(b₀c₀+b₂c₃+b₃c₂+b₀c₃+b₁c₂+b₂c₁+b₃c₀)β²+(b₀c₁+b₁c₀+b₃c₃+b₀c₃+b₁c₂+b₂c₁+b₃c₀)β³+(b₀c₂+b₁c₁+b₂c₀+b₀c₃+b₁c₂+b₂c₁+b₃c₀)β⁴

[0068] The result of the multiplication, in binary terms, is, therefore, given by:

b·c=(b₁c₃+b₂c₂+b₃c₁+b₀c₃+b₁c₂+b₂c₁+b₃c₀, b₀c₀+b₂c₃+b₃c₂+b₀c₃+b₁c₂+b₂c₁+b₃c₀, b₀c₁+b₁c₀+b₃c₃+b₀c₃+b₁c₂+b₂c₁+b₃c₀, b₀c₂+b₁c₁+b₂c₀+b₀c₃+b₁c₂+b₂c₁+b₃c₀)

Inverse Operation in GF(2⁴)

[0069] Using the normal base β, β², β⁴, β⁸, each element x of GF(2⁴) can be written as x=a·β+b·β²+c·β⁴+d·β⁸, with a, b, c, d ∈ GF(2). As such, each element can be represented by a 4-dimensional vector (a, b, c, d).

[0070] In order to obtain the inverse of b (b⁻¹):

[0071] calculate the following intermediate results: ab, a¬b, ¬ab, bc, ¬bc, b¬c, cd, ¬cd, c¬d, da, ¬da, d¬a, where ab is the binary AND of a and b (a AND b) and ¬a is the binary complement of a (NOT a), the complement applying only to the single variable it precedes (so ¬ab means (NOT a) AND b).

[0072] calculate the first bit of b⁻¹ by using cd, ¬cd, c¬d, ¬ab, b¬c, and ¬da as follows:

[0073] (cd) OR (¬a AND c¬d) OR (¬cd AND ¬ab) OR (b¬c AND ¬da)

[0074] calculate the second bit of b⁻¹ by using da, ¬da, d¬a, ¬bc, c¬d, ¬ab as follows:

[0075] (da) OR (¬b AND d¬a) OR (¬da AND ¬bc) OR (c¬d AND ¬ab)

[0076] calculate the third bit of b⁻¹ by using ab, ¬ab, a¬b, ¬cd, d¬a, ¬bc as follows:

[0077] (ab) OR (¬c AND a¬b) OR (¬ab AND ¬cd) OR (d¬a AND ¬bc)

[0078] calculate the fourth bit of b⁻¹ by using bc, ¬bc, b¬c, ¬da, a¬b, ¬cd as follows:

[0079] (bc) OR (¬d AND b¬c) OR (¬bc AND ¬da) OR (a¬b AND ¬cd)
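The multiplication of [0068] and the inverse of [0071] to [0079] carried out in Python, as an added example that is not part of the patent text. It takes β as a root of x⁴+x³+x²+x+1 (as in claim 13), so that β⁵=1 and β⁸=β³; the conversion between the two bases, the squaring check and all function names are this example's own assumptions. The check runs over all 15 nonzero elements and confirms that b·b⁻¹ = 1 when the boolean inverse is multiplied back with the component formula.

```python
# Added example (not from the patent): GF(2^4) multiplication in the basis
# {beta, beta^2, beta^3, beta^4} from paragraph [0068] and the inverse in the
# normal basis {beta, beta^2, beta^4, beta^8} from paragraphs [0071]-[0079].
# beta is a root of x^4 + x^3 + x^2 + x + 1, so beta^5 = 1 and the element 1
# equals beta + beta^2 + beta^3 + beta^4, i.e. (1, 1, 1, 1) in both bases.
# Elements are 4-tuples of 0/1 ints; the helper names are this example's own.

ONE = (1, 1, 1, 1)


def gf16_mul(b, c):
    """Product of b = b0*beta + b1*beta^2 + b2*beta^3 + b3*beta^4 and c
    (same basis), returned in the same basis (the four sums of [0068])."""
    b0, b1, b2, b3 = b
    c0, c1, c2, c3 = c
    # The beta^5 coefficient: beta^5 = 1 = beta + beta^2 + beta^3 + beta^4,
    # so it is added into every component.
    t5 = (b0 & c3) ^ (b1 & c2) ^ (b2 & c1) ^ (b3 & c0)
    r1 = (b1 & c3) ^ (b2 & c2) ^ (b3 & c1) ^ t5  # beta   (beta^6 folds here)
    r2 = (b0 & c0) ^ (b2 & c3) ^ (b3 & c2) ^ t5  # beta^2 (beta^7 folds here)
    r3 = (b0 & c1) ^ (b1 & c0) ^ (b3 & c3) ^ t5  # beta^3 (beta^8 folds here)
    r4 = (b0 & c2) ^ (b1 & c1) ^ (b2 & c0) ^ t5  # beta^4
    return (r1, r2, r3, r4)


def gf16_inv_normal(x):
    """Inverse of x = a*beta + b*beta^2 + c*beta^4 + d*beta^8 via the
    AND/OR/NOT formulas of [0073], [0075], [0077], [0079]; 0 maps to 0."""
    a, b, c, d = x
    na, nb, nc, nd = 1 - a, 1 - b, 1 - c, 1 - d
    ia = (c & d) | (na & c & nd) | (nc & d & na & b) | (b & nc & nd & a)
    ib = (d & a) | (nb & d & na) | (nd & a & nb & c) | (c & nd & na & b)
    ic = (a & b) | (nc & a & nb) | (na & b & nc & d) | (d & na & nb & c)
    id_ = (b & c) | (nd & b & nc) | (nb & c & nd & a) | (a & nb & nc & d)
    return (ia, ib, ic, id_)


def normal_to_power(x):
    """Normal-basis (a, b, c, d) -> coefficients of beta, beta^2, beta^3, beta^4.
    Since beta^8 = beta^3, this is only a swap of the last two components."""
    a, b, c, d = x
    return (a, b, d, c)


def square_normal(x):
    """Squaring in the normal basis is a cyclic shift: (a,b,c,d) -> (d,a,b,c),
    because beta^16 = beta."""
    a, b, c, d = x
    return (d, a, b, c)


def check_gf16():
    """Check every nonzero element: b * inv(b) == 1 and the shift-square
    agrees with gf16_mul(b, b). Returns how many elements passed (15 if all)."""
    ok = 0
    for n in range(1, 16):
        x = tuple((n >> i) & 1 for i in range(4))   # normal-basis element
        p = normal_to_power(x)
        prod = gf16_mul(p, normal_to_power(gf16_inv_normal(x)))
        sq_ok = normal_to_power(square_normal(x)) == gf16_mul(p, p)
        if prod == ONE and sq_ok:
            ok += 1
    return ok


if __name__ == "__main__":
    print("elements verified:", check_gf16())
```

The squaring check is why the normal base is attractive for a hardware or nibble-oriented implementation: squaring is a rotation of the four bits, and the AND/OR formulas above compute the inverse without any multiplier.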

[0080] Besides being used in a DES-like system as shown in FIG. 1, a dedicated system can be built around the non-linear algorithm of the invention. Such a system is shown in FIG. 8. In this system, the blocks are processed using the non-linear operation NL of the invention and a linear operation LIN. The first step is the non-linear operation. This is followed by an iteration of the linear operation followed by the non-linear operation. It is expected that a sufficiently safe system is achieved by performing six non-linear operations (i.e. using five rounds), provided that the linear operation mixes the data bits thoroughly. Preferably, 15 rounds are used. Each of the linear operations is the same. Also, each of the non-linear operations is the same, but each non-linear operation uses a different key of 128 bits. Advantageously, the keys are derived from one global key of, for instance, 256 bits, using a key schedule calculation. The same key is used for encryption as well as decryption. In most cases the key is provided using a smart-card. For the linear operation, advantageously, a more complex matrix is used instead of a permutation. As described before, in addition to the key, each non-linear operation may, optionally, use a constant C of 128 bits, which is split into the constants p_(j) and d_(j). The constant may be the same for each operation. Advantageously, each non-linear operation is provided with a separate constant. The constants may be predetermined per system (e.g. a customer-specific constant). Alternatively, the constant is generated using a pseudo-random generator.

1. A method for cryptographically converting a digital input block intoa digital output block; said conversion comprising the step of merging aselected part M1 of said digital input block with a first key K1 andproducing a data block B1 which non-linearly depends on said selectedpart M1 and said first key K1, and where a selected part of said digitaloutput block is derived from said data block B1, characterised in thatsaid merging step is performed by executing a non-linear function g fornon-linearly merging said selected part M1 and said first key K1 in one,sequentially inseparable step.
 2. A method as claimed in claim 1,wherein said method comprises the steps of: splitting said digital inputblock into said selected part M1 and a second part M2 before executingsaid merging step; executing a non-linear function g⁻¹ to merge saidsecond block M2 with a second key K2 in one, sequentially inseparablestep, producing a data block B2 as output; said non-linear function g⁻¹being the inverse of said non-linear function g; and forming combineddata from data in said data block B1 and in said data block B2; saiddigital output block being derived from said combined data.
 3. A method as claimed in claim 1, wherein said merging step comprises the steps of: splitting said selected part M1 in a first plurality n of sub-blocks m₀, ..., m_(n−1), of substantially equal length; splitting said first key K1 in said first plurality n of sub-keys k₀, ..., k_(n−1), substantially having equal length, the sub-key k_(i), corresponding to the sub-block m_(i), for i=0 to n−1; and separately processing each of said sub-blocks m_(i) by executing for each of said sub-blocks m_(i) a same non-linear function h for non-linearly merging a sub-block b_(i) derived from said sub-block m_(i) with said corresponding sub-key k_(i) in one, sequentially inseparable step and producing said first plurality of output sub-blocks h(b_(i), k_(i)); and combining sub-blocks t_(i) derived from said first plurality of said output sub-blocks h(b_(i), k_(i)) to form said data block B1.
 4. A method as claimed in claim 2 and 3, wherein said step of executing said non-linear function g⁻¹ comprises the steps of: splitting said second part M2 in said first plurality n of sub-blocks m_(n), ..., m_(2n−1), substantially having equal length; splitting said key K2 in said first plurality n of sub-keys k_(n), ..., k_(2n−1), substantially having equal length, the sub-key k_(i) corresponding to the sub-block m_(i), for i=n to 2n−1; executing for each of said sub-blocks m_(i) a same non-linear function h⁻¹ for non-linearly merging a sub-block b_(i) derived from said sub-block m_(i) with said corresponding sub-key k_(i) and producing said first plurality of an output sub-block h⁻¹(b_(i), k_(i)); said function h⁻¹ being the inverse of said function h; and combining sub-blocks t_(i) derived from said first plurality of output sub-blocks h⁻¹(b_(i), k_(i)) to form said data block B2.
 5. A method as claimed in claim 3, wherein said sub-blockb_(i) is derived from said sub-block m_(i) by bit-wise adding a constantp_(i) to said sub-block m_(i), said constant p_(i) substantially havingequal length as said sub-block m_(i).
 6. A method as claimed in claim 3, characterised in that said function h(b_(i),k_(i)) is defined by: h(b_(i),k_(i))=(b_(i)·k_(i))⁻¹, if b_(i)≠0, k_(i)≠0, and b_(i)≠k_(i); h(b_(i),k_(i))=(k_(i))⁻², if b_(i)=0; h(b_(i),k_(i))=(b_(i))⁻², if k_(i)=0; h(b_(i),k_(i))=0, if b_(i)=k_(i), where the multiplication and inverse operations are predetermined Galois Field multiplication and inverse operations.
 7. A method as claimed in claim 6, wherein derivingsaid sub-blocks t_(i) from said output sub-blocks h(b_(i), k_(i))comprises bit-wise adding a constant d_(i) to said output sub-blockh(b_(i),k_(i)), said constant d_(i) substantially having equal length assaid sub-block m_(i).
 8. A method as claimed in claim 7, whereinderiving said sub-blocks t_(i) from said output sub-blocks h(b_(i),k_(i)) further comprises raising h(b_(i),k_(i))⊕d_(i) to a power 2^(i),using said predetermined Galois Field multiplication.
 9. A method asclaimed in claim 6, wherein deriving said sub-blocks t_(i) from saidoutput sub-blocks h(b_(i), k_(i)) comprises raising said outputsub-block h(b_(i),k_(i)) to a power 2^(i), using said predeterminedGalois Field (GF) multiplication.
 10. A method as claimed in claim 4, wherein said combined data is formed by: swapping the sub-blocks t_(i) and t_(2n−1−i) for i=0 to n−1; and concatenating the swapped sub-blocks.
 11. A method as claimed in claim 6, wherein said sub-block m_(i) comprises eight data bits, and wherein said multiplying of two elements b and c of GF(2⁸) comprises executing a series of multiplications and additions in GF(2⁴).
 12. A method as claimed in claim 11, wherein saidmultiplying of said two elements b and c comprises: representing b asa₀+a₁·D and c as a₂+a₃·D, where a₀, a₁, a₂ and a₃ are elements ofGF(2⁴), and where D is an element of GF(2⁸) defined as a root of anirreducible polynomial k(x)=x²+x+β over GF(2⁴), where β is an element ofGF(2⁴); and calculating (a₀a₂+a₁a₃β)+(a₁a₂+a₀a₃+a₁a₃)·D.
 13. A method asclaimed in claim 12, wherein β is a root of an irreducible polynomialh(x)=x⁴+x³+x²+x+1 over GF(2).
 14. A method as claimed in claim 6,wherein said sub-block m_(i) comprises eight data bits, and whereincalculating the inverse of an element b of GF(2⁸) comprises performing aseries of calculations in GF(2⁴).
 15. A method as claimed in claim 14,wherein calculating the inverse of said element b comprises:representing b as a₀+a₁·D, where a₀ and a₁ are elements of GF(2⁴), andwhere D is an element of GF(2⁸) defined as a root of an irreduciblepolynomial k(x)=x²+x+β over GF(2⁴), where β is an element of GF(2⁴); andcalculating (a₀ ²+a₀a₁+a₁ ²β)⁻¹((a₀+a₁)+a₁D).
 16. An apparatus for cryptographically converting a digital input block into a digital output block; said apparatus comprising: first input means for obtaining said digital input block; second input means for obtaining a first key K1; cryptographic processing means for converting the digital input block into the digital output block; said conversion comprising merging a selected part M1 of said digital input block with said first key K1 and producing a data block B1 which non-linearly depends on said selected part M1 and said first key K1, and where a selected part of said digital output block is derived from said data block B1; and output means for outputting said digital output block, characterised in that said cryptographic processing means is arranged to perform said merging by executing a non-linear function g for non-linearly merging said selected part M1 and said first key K1 in one, sequentially inseparable step.
 17. An apparatus as claimed in claim 16, wherein said apparatus comprises third input means for obtaining a second key K2, and wherein said conversion comprises: splitting said digital input block into said selected part M1 and a second part M2 before performing said merging; executing a non-linear function g⁻¹ to merge said second block M2 with said second key K2 in one, sequentially inseparable step, producing a data block B2 as output; said non-linear function g⁻¹ being the inverse of said non-linear function g; and forming combined data from data in said data block B1 and in said data block B2; said digital output block being derived from said combined data.
 18. An apparatus as claimed in claim 16, wherein said merging step comprises the steps of: splitting said selected part M1 in a first plurality n of sub-blocks m₀, ..., m_(n−1) of substantially equal length; splitting said first key K1 in said first plurality n of sub-keys k₀, ..., k_(n−1), substantially having equal length, the sub-key k_(i) corresponding to the sub-block m_(i), for i=0 to n−1; and separately processing each of said sub-blocks m_(i) by executing for each of said sub-blocks m_(i) a same non-linear function h for non-linearly merging a sub-block b_(i) derived from said sub-block m_(i) with said corresponding sub-key k_(i) in one, sequentially inseparable step and producing said first plurality of output sub-blocks h(b_(i), k_(i)); and combining sub-blocks t_(i) derived from said first plurality of said output sub-blocks h(b_(i), k_(i)) to form said data block B1.
 19. An apparatus as claimed in claim 18, characterised in that said function h(b_(i),k_(i)) is defined by: h(b_(i),k_(i))=(b_(i)·k_(i))⁻¹, if b_(i)≠0, k_(i)≠0, and b_(i)≠k_(i); h(b_(i),k_(i))=(k_(i))⁻², if b_(i)=0; h(b_(i),k_(i))=(b_(i))⁻², if k_(i)=0; h(b_(i),k_(i))=0, if b_(i)=k_(i), where the multiplication and inverse operations are predetermined Galois Field multiplication and inverse operations.
 20. An apparatus as claimed in claim 19, whereinsaid sub-block m_(i) comprises eight data bits, and wherein saidmultiplying of two elements b and c of GF(2⁸) comprises: representing bas a₀+a₁·D and c as a₂+a₃·D, where a₀, a₁, a₂ and a₃ are elements ofGF(2⁴), and where D is an element of GF(2⁸) defined as a root of anirreducible polynomial k(x)=x²+x+β over GF(2⁴), where β is an element ofGF(2⁴); and calculating (a₀a₂+a₁a₃β)+(a₁a₂+a₀a₃+a₁a₃)·D; and whereincalculating the inverse of an element b of GF(2⁸) comprises calculating(a₀ ²+a₀a₁+a₁ ²β)⁻¹((a₀+a₁)+a₁D).
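The tower-field arithmetic of claims 12 to 15 and the function h of claim 19 in Python, as an added example and not the patent's own code. Representation choices the claims leave open are assumptions of this example: GF(2⁴) elements are 4-bit integers in the polynomial basis {1, β, β², β³} with β a root of x⁴+x³+x²+x+1 (claim 13), GF(2⁸) elements are pairs (a₀, a₁) standing for a₀+a₁·D with D a root of x²+x+β (claim 12), and all function names are invented here. The check at the end confirms the two facts a decrypting implementation relies on: every nonzero element has an inverse (so x²+x+β really is irreducible over GF(2⁴)), and b → h(b, k) is a permutation of GF(2⁸) for every sub-key k, which is what makes the inverse function h⁻¹ of claim 4 exist.

```python
# Added example (not the patent's own code): the GF(2^8)-over-GF(2^4) tower
# arithmetic of claims 11-15 and the merge function h of claim 19.
# Assumptions (this example's own, not fixed by the claims): GF(2^4) elements
# are 4-bit ints in the polynomial basis {1, beta, beta^2, beta^3}, beta being
# a root of x^4 + x^3 + x^2 + x + 1 (claim 13); a GF(2^8) element a0 + a1*D is
# the pair (a0, a1), D being a root of x^2 + x + beta (claim 12).

BETA = 0b0010  # beta itself in the polynomial basis
ZERO = (0, 0)
ONE = (1, 0)


def gf16_mul(x, y):
    """Shift-and-add multiplication modulo x^4 + x^3 + x^2 + x + 1 (0x1F)."""
    r = 0
    for _ in range(4):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x10:          # reduce x^4 = x^3 + x^2 + x + 1
            x ^= 0x1F
    return r


def _gf16_inverse_table():
    """Inverses in GF(2^4) by exhaustive search over 16 elements; inv(0) := 0."""
    table = [0] * 16
    for x in range(1, 16):
        table[x] = next(y for y in range(1, 16) if gf16_mul(x, y) == 1)
    return table


GF16_INV = _gf16_inverse_table()


def gf256_mul(b, c):
    """Claim 12: (a0 + a1 D)(a2 + a3 D) = (a0a2 + a1a3 beta) + (a1a2 + a0a3 + a1a3) D."""
    a0, a1 = b
    a2, a3 = c
    a1a3 = gf16_mul(a1, a3)
    return (gf16_mul(a0, a2) ^ gf16_mul(a1a3, BETA),
            gf16_mul(a1, a2) ^ gf16_mul(a0, a3) ^ a1a3)


def gf256_inv(b):
    """Claim 15: (a0 + a1 D)^-1 = (a0^2 + a0a1 + a1^2 beta)^-1 ((a0 + a1) + a1 D).
    The bracket is the norm of b, an element of GF(2^4), so only one small
    inversion is needed; inv(0) := 0."""
    a0, a1 = b
    norm = gf16_mul(a0, a0) ^ gf16_mul(a0, a1) ^ gf16_mul(gf16_mul(a1, a1), BETA)
    n_inv = GF16_INV[norm]
    return (gf16_mul(n_inv, a0 ^ a1), gf16_mul(n_inv, a1))


def h(b, k):
    """Claim 19's non-linear merge of one 8-bit sub-block b with sub-key k."""
    if b == k:
        return ZERO
    if b == ZERO:
        return gf256_inv(gf256_mul(k, k))   # k^-2
    if k == ZERO:
        return gf256_inv(gf256_mul(b, b))   # b^-2
    return gf256_inv(gf256_mul(b, k))       # (b * k)^-1


def all_elements():
    """All 256 elements of GF(2^8) as (a0, a1) pairs."""
    return [(lo, hi) for hi in range(16) for lo in range(16)]


def check_tower():
    """Returns (nonzero elements with b * inv(b) == 1, keys k for which
    b -> h(b, k) hits all 256 outputs). Expected (255, 256)."""
    elems = all_elements()
    inv_ok = sum(1 for b in elems if b != ZERO and gf256_mul(b, gf256_inv(b)) == ONE)
    keys_bijective = sum(1 for k in elems if len({h(b, k) for b in elems}) == 256)
    return inv_ok, keys_bijective


if __name__ == "__main__":
    print(check_tower())
```

The bijection count is the property worth re-checking whenever the field polynomials are changed: the cases b=0 and b=k in h are exactly what fills the two gaps (0 and k⁻²) that (b·k)⁻¹ alone would leave, and with a reducible x²+x+β both counts drop below their expected values.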